SMART CARD


ABSTRACT

A smart card is a credit-card-sized device containing one or more integrated circuit chips, which perform the functions of a microprocessor, memory, and an input/output interface. Smart cards, and other related devices, may be used to provide an increased level of security in applications requiring controlled access to sensitive information. This publication describes the basic components of a smart card, and the goals and obstacles of smart card application development. Possible roles for smart cards in modern computer security systems and research conducted at the National Bureau of Standards (NBS) in the area of smart card access control systems are discussed. A forecast is made for the characteristics and applications of future smart cards and related devices. An overview of current standards activities for smart cards is given in an appendix.

Key words: Access control; authentication; biometrics; computer security; cryptography; Data Encryption Standard (DES); electrically erasable programmable read only memory (EEPROM); erasable programmable read only memory (EPROM); integrated circuit card; microcomputer; reader/writer device; smart card; token.



INTRODUCTION

With microscopic electronic circuits placed inside credit-card-sized plastic carriers, smart cards offer the possibility that someday most individuals will carry their own computers in their pockets. Smart cards may greatly facilitate a wide range of information processing activities: Applied in banking, telephone services, medical records systems, and other areas, smart cards can provide users with both a secure medium for storing and carrying personal information and a means for accessing resources in a network of computers.

As the use of computers and computer networks has grown to encompass more and more of everyday life, the demand for effective computer security strategies has become more urgent. Smart cards, which are capable of both securely storing and processing data, may play a key role in improving the security of many computer systems.

Overview and Scope of this Document

This document describes the basic components of a smart card and provides background information on the underlying integrated circuit technologies. The capabilities of a smart card are discussed, with emphasis on the use of the smart card in computer security applications. Research conducted at the National Bureau of Standards (NBS) on smart card access control techniques is described. A forecast is made on expected developments in smart card technology. The appendix outlines the major U.S. and international groups involved in the development of standards for smart cards and related devices.

This document is intended to provide the reader with a general understanding of the use of smart card technology in computer access control. Several factors which must be considered in examining the security requirements of a computer system are discussed. It should be recognized, however, that smart cards and access control techniques are just one part of an overall computer security program. In accordance with the Brooks Act (P.L. 89-306) and the Computer Security Act of 1987 (P.L. 100-235), NBS develops guidelines, technology forecasts, and other documents to provide information on a wide range of computer security topics. Information about these documents is available in NBS Publications List 91, "Computer Security Publications."

The Definition of a Smart Card

The term "smart card" has been used as a label for a wide variety of hand-held plastic devices containing mechanisms for storing and/or processing information. There is much debate over exactly what capabilities and characteristics a device must have in order to be considered a smart card. One source states that a smart card is implemented "in a piece of plastic the size of a credit card" and that "each smart card contains its own central processing unit [which is] essentially a small computer." [MCIV 85, p. 152] Another source, with a broader definition, suggests that a smart card "consists of an integrated circuit chip or chips packaged in a convenient form to be carried on one's person." [SVGL 85, p. 1] With the latter definition, the category of smart cards includes integrated circuit data storage cards and key-shaped devices, which may not have any computational powers. Magnetic stripe and optical laser storage cards have also sometimes been referred to as smart cards, because they have data storage capacity.


As researchers and manufacturers struggle to develop and distribute products in step with the latest technological advances, confusion over the terminology of new devices arises. For purposes of discussion, this document will use the following definition of a smart card:

A smart card is a credit-card-sized device containing one or more integrated circuit chips, which perform the functions of a microprocessor, memory, and an input/output interface.

Devices which are not of standard credit card size (i.e., plastic keys and dogtags, or cards which are thicker than the standard credit card), but which otherwise conform to this definition, will be referred to in this document as "smart tokens."


Smart Cards and the International Organization for Standardization (ISO)

The International Organization for Standardization (ISO) develops voluntary international standards in many scientific, technological, and economic fields. ISO has not defined or produced standards for any devices specifically labelled as "smart cards."

ISO is, however, actively involved in the development of standards for what ISO calls an integrated circuit card (ICC). Some of the fundamental characteristics of an ISO ICC are:

- The ICC contains one or more integrated circuits.
- The length (3.370 inches), width (2.125 inches), and thickness (0.030 inches) of an ICC are the same as the dimensions of a standard credit card.

- The ICC allows spaces on the surface of the card for magnetic stripe and embossed data storage, in order to allow compatibility with existing technologies.

(An outline of ISO integrated circuit card standards activities is given in the appendix.)

Smart cards, as defined in this document, are similar to ISO IC cards except that 1) smart cards do not necessarily have magnetic stripe and embossing areas, and 2) smart cards must have processing capability. The ability of the smart card to process information, and not simply store it, is of vital importance in applications in which the security of sensitive information must be maintained. The following section presents a simple example of how a smart card system can be used to protect sensitive data.

Security in a Generalized Smart Card System

A generalized smart card system contains a smart card, a smart card reader/writer device, a terminal, a host computer, and the connections necessary to interface these components. On a superficial level, a smart card system resembles conventional data storage card systems, such as automated teller machine (ATM) systems which use magnetic stripe cards. However, because smart cards have computing powers and greater capacity for protected data storage, smart card systems can provide increased flexibility and security in many applications.

For example, a company that has proprietary information stored in its main computer could use a smart card system to maintain and protect this sensitive data in a scenario such as the following:

A smart card is issued to each employee who has a need to access the computer system. Each employee's card is programmed with unique information, such as a personal identification number (PIN). The smart card's microcomputer performs a secret one-way transformation* on this PIN, to render it unreadable, and then stores the transformed PIN in a secret part of its memory.
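
The PIN handling described above, modelled in Python as an added example that is not part of the NBS publication. The document does not specify the transformation, so HMAC-SHA-256 under a random per-card key is assumed here, as is the 4-digit PIN length; CardModel, pin_space_matches and unkeyed are hypothetical names. The last two functions show why the transformation has to be secret: a PIN space this small can be matched exhaustively against an unkeyed one-way function, but not against a keyed one without the card's key.

```python
import hashlib
import hmac
import os


class CardModel:
    """Toy model of the card's microcomputer (hypothetical, for illustration)."""

    def __init__(self, pin: str):
        # Assumption: the "secret" in the transformation is a random key
        # generated on the card that never leaves it.
        self._secret = os.urandom(32)
        # Only the transformed PIN is stored; the clear PIN is not kept.
        self._stored_pin = self._transform(pin)

    def _transform(self, pin: str) -> bytes:
        # HMAC-SHA-256 stands in for the unspecified one-way transformation.
        return hmac.new(self._secret, pin.encode("ascii"), hashlib.sha256).digest()

    def verify_pin(self, candidate: str) -> bool:
        # Transform the candidate the same way and compare in constant time.
        return hmac.compare_digest(self._transform(candidate), self._stored_pin)

    def stored_value(self) -> bytes:
        # What an observer of the card's memory would see (no key, no PIN).
        return self._stored_pin


def unkeyed(pin: str) -> bytes:
    """A one-way function with no secret: plain SHA-256 of the PIN."""
    return hashlib.sha256(pin.encode("ascii")).digest()


def pin_space_matches(stored: bytes, transform) -> list:
    """Every 4-digit PIN whose transform equals the stored value."""
    candidates = (f"{n:04d}" for n in range(10000))
    return [p for p in candidates if transform(p) == stored]


if __name__ == "__main__":
    card = CardModel("4821")  # constructed sample PIN
    print("correct PIN accepted:", card.verify_pin("4821"))
    print("wrong PIN accepted:  ", card.verify_pin("4822"))
    # Unkeyed storage: the whole PIN space can be matched against the value.
    print("unkeyed matches:", pin_space_matches(unkeyed("4821"), unkeyed))
    # Keyed storage: the same search finds nothing without the card secret.
    print("keyed matches:  ", pin_space_matches(card.stored_value(), unkeyed))
```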